fix(backend-native): Pass req.securityContext to Python config (#9049)

This is necessary for `extend_context`. By the time `extendContext` is called, `req` in JS-land is already extended with `securityContext` after `checkAuth`, and JS config receives it with extensions.
cube-js · Dec 18, 2024 · 95021f2 · 95021f2
1 parent 171ea35
commit 95021f2
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/packages/cubejs-backend-native/js/index.ts b/packages/cubejs-backend-native/js/index.ts
@@ -352,6 +352,7 @@ export interface PyConfiguration {
   repositoryFactory?: (ctx: unknown) => Promise<unknown>,
   logger?: (msg: string, params: Record<string, any>) => void,
   checkAuth?: (req: unknown, authorization: string) => Promise<{ 'security_context'?: unknown }>
+  extendContext?: (req: unknown) => Promise<unknown>
   queryRewrite?: (query: unknown, ctx: unknown) => Promise<unknown>
   contextToApiScopes?: () => Promise<string[]>
   contextToRoles?: (ctx: unknown) => Promise<string[]>
@@ -365,6 +366,11 @@ function simplifyExpressRequest(req: ExpressRequest) {
     method: req.method,
     headers: req.headers,
     ip: req.ip,
+
+    // req.securityContext is an extension of request done by api-gateway
+    // But its typings currently live in api-gateway package, which has native-backend (this package) as it's dependency
+    // TODO extract typings to separate package and drop as any
+    ...(Object.hasOwn(req, 'securityContext') ? { securityContext: (req as any).securityContext } : {}),
   };
 }
 

diff --git a/packages/cubejs-backend-native/test/config.py b/packages/cubejs-backend-native/test/config.py
@@ -20,6 +20,23 @@ async def check_auth(req, authorization):
     }
 
 
+@config('extend_context')
+def extend_context(req):
+  print("[python] extend_context req=", req)
+  if "securityContext" not in req:
+    return {
+      "security_context": {
+        "error": "missing",
+      }
+    }
+
+  req["securityContext"]["extended_by_config"] = True
+
+  return {
+    "security_context": req["securityContext"],
+  }
+
+
 @config
 async def repository_factory(ctx):
     print("[python] repository_factory ctx=", ctx)

diff --git a/packages/cubejs-backend-native/test/python.test.ts b/packages/cubejs-backend-native/test/python.test.ts
@@ -43,6 +43,7 @@ suite('Python Config', () => {
       pgSqlPort: 5555,
       preAggregationsSchema: expect.any(Function),
       checkAuth: expect.any(Function),
+      extendContext: expect.any(Function),
       queryRewrite: expect.any(Function),
       repositoryFactory: expect.any(Function),
       schemaVersion: expect.any(Function),
@@ -83,6 +84,31 @@ suite('Python Config', () => {
     expect(await config.contextToApiScopes()).toEqual(['meta', 'data', 'jobs']);
   });
 
+  test('extend_context', async () => {
+    if (!config.extendContext) {
+      throw new Error('extendContext was not defined in config.py');
+    }
+
+    // Without security context
+    expect(await config.extendContext({})).toEqual({
+      security_context: {
+        error: 'missing',
+      },
+    });
+
+    // With security context
+    expect(await config.extendContext({
+      securityContext: { sub: '1234567890', iat: 1516239022, user_id: 42 }
+    })).toEqual({
+      security_context: {
+        extended_by_config: true,
+        sub: '1234567890',
+        iat: 1516239022,
+        user_id: 42
+      },
+    });
+  });
+
   test('repository factory', async () => {
     if (!config.repositoryFactory) {
       throw new Error('repositoryFactory was not defined in config.py');